[oi-dev] OpenSSL 1.0.0 replacing 0.9.8 in userland-gate = massive headache

Garrett D'Amore garrett at damore.org
Sat Sep 3 23:30:56 UTC 2011


So, I believe that 3 might not be such a bad option, because I think technically the openssl package and APIs have historically been considered "Private" (i.e. unstable and not for use by ISVs.)  This is the Solaris view of it at any rate.

	- Garrett

On Sep 3, 2011, at 1:56 PM, Alasdair Lumsden wrote:

> Hi All,
> 
> In Oracle's official userland-gate, they have replaced OpenSSL 0.9.8 with 1.0.0. This has massive ramifications, because everything linked against OpenSSL 0.9.8 breaks as soon as library/security/openssl gets upgraded, including pkg, which is all kinds of fun.
> 
> There are two realistic options, and one unrealistic idealistic option:
> 
> 1. Don't bother upgrading to OpenSSL 0.9.8, worry about it another day
> 
> 2. Do the upgrade, but also ship an openssl 0.9.8 compatibility package and make the new one depend on it - this lets old software continue to run whilst recompiles pick up the new OpenSSL. Slowly transition to OpenSSL 1.0.0.
> 
> I've made such a package by pkgrecv'ing openssl 0.9.8, hacking out everything except the libraries and republishing it locally as library/security/openssl/compatibility/0.9.8 - works fine.
> 
> 3. Do the upgrade. Rebuild everything against OpenSSL 1.0.0, and release rebuilt software with the openssl 1.0.0 upgrade, in one simultaneous release.
> 
> Obviously 3 has ramifications beyond the base system, because any third party software that depends on OpenSSL 0.9.8 will break. This is why having a compatibility package is probably necessary regardless.
> 
> I've provided a list of software below that depends on OpenSSL, which affects these consolidations:
> 
> gnome
> ips
> l10n
> oi-build
> osnet
> sfw
> vpanels
> 
> Thankfully those are all ones we can easily rebuild (indeed, sfw is gone), with the exception of gnome (JDS) which, without a replacement for Distro Importer in the new continuous integration world, is quite tricky.
> 
> My personal preference is 2, although ideally we need to convert OpenSSL 0.9.8 to oi-build format to make the compatibility package, for sustaining/security patches. Hacking the package together was good for a proof of concept but we need to be able to rebuild it/update it.
> 
> Comments welcome!
> 
> Cheers,
> 
> Alasdair
> 
> 
> consolidation/sfw/sfw-incorporation - sfw sfw
> crypto/gnupg - oi-build sfw
> database/postgres-82 - sfw sfw
> database/postgres-82/contrib - sfw
> database/postgres-82/developer - sfw
> database/postgres-82/library - sfw
> database/postgres-83 - sfw sfw
> database/postgres-83/contrib - sfw
> database/postgres-83/developer - sfw
> database/postgres-83/library - sfw
> database/postgres-84 - sfw sfw
> database/postgres-84/contrib - sfw
> database/postgres-84/developer - sfw
> database/postgres-common - sfw
> database/postgres/pg_upgrade - sfw
> database/postgres/pgadmin - sfw
> desktop/gftp - gnome
> desktop/irc/xchat - gnome
> desktop/remote-desktop/rdesktop - oi-build gnome
> desktop/system-monitor/gkrellm - gnome
> desktop/torrent/transmission - gnome
> diagnostic/httping - oi-build sfw
> diagnostic/nmap - oi-build sfw
> library/gnome/gnome-vfs - gnome
> library/libtorrent - oi-build sfw
> library/neon - oi-build sfw
> library/openldap - sfw
> library/perl-5/net-ssleay - sfw
> library/perl-5/postgres-dbi - sfw
> library/print/cups-libs - oi-build sfw
> library/python-2/m2crypto - oi-build ips ips
> library/python-2/m2crypto-26 - oi-build
> library/python-2/pycurl - oi-build ips ips
> library/python-2/pycurl-26 - oi-build
> library/python-2/pyopenssl-24 - sfw
> library/python-2/pyopenssl-26 - oi-build sfw
> library/raptor - gnome
> library/security/pam/module/pam-pkcs11 - oi-build sfw
> library/security/trousers - oi-build sfw
> library/xmlrpc-c - sfw
> mail/fetchmail - oi-build sfw
> mail/mutt - oi-build sfw
> network/chat/irssi - gnome
> network/dns/bind - oi-build oi-build sfw sfw
> network/nntp/slrn - oi-build sfw
> network/ssh - osnet osnet
> network/ssh/ssh-key - osnet
> network/tor - sfw
> package/svr4 - osnet
> print/cups - oi-build sfw
> print/filter/hplip - oi-build sfw
> redistributable -
> runtime/erlang - oi-build sfw
> runtime/python-24 - gnome
> runtime/python-25 - gnome
> runtime/python-26 - gnome
> runtime/ruby-18 - oi-build sfw
> runtime/tcl-8/tcl-openssl - oi-build sfw
> service/database/postgres-82 - sfw
> service/database/postgres-83 - sfw
> service/database/postgres-84 - sfw
> service/network/dns/bind - oi-build sfw
> service/network/load-balancer/pen - sfw
> service/network/ntp - oi-build sfw
> service/network/smtp/sendmail - osnet
> service/network/ssh - osnet
> service/network/wpa - osnet
> service/security/kerberos-5 - osnet
> service/security/stunnel - sfw
> system/boot/wanboot - osnet
> system/input-method/iiim - l10n
> system/library - osnet
> system/library/security/crypto/pkcs11_kms - osnet
> system/management/cim/pegasus - sfw
> system/management/ipmitool - oi-build sfw
> system/management/rad - vpanels
> system/management/visual-panels - vpanels
> system/management/web/openwsman - sfw
> system/management/webmin - sfw
> web/browser/elinks - oi-build sfw
> web/browser/links - oi-build sfw
> web/browser/lynx - gnome
> web/browser/w3m - gnome
> web/curl - oi-build sfw
> web/php-52 - sfw
> web/proxy/squid - oi-build sfw
> web/server/apache-13 - sfw
> web/server/apache-22 - oi-build sfw
> web/server/ejabberd - oi-build sfw
> web/server/lighttpd-14 - oi-build sfw
> web/wget - oi-build sfw
> 
> _______________________________________________
> oi-dev mailing list
> oi-dev at openindiana.org
> http://openindiana.org/mailman/listinfo/oi-dev
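
An added example, not part of either message or of OpenIndiana's tooling: while the 0.9.8 compatibility libraries and 1.0.0 coexist (option 2 above), each object can be classified by which OpenSSL sonames it reaches through its DT_NEEDED chain. The object names and dependency data are constructed; in practice the lists would be collected from each binary's dynamic section (for example with `elfdump -d` or `readelf -d`).

```python
import re

OLD, NEW = "0.9.8", "1.0.0"
# Upstream OpenSSL sonames: libssl.so.<ver> and libcrypto.so.<ver>
SONAME = re.compile(r"lib(?:ssl|crypto)\.so\.(\d+\.\d+\.\d+)")

# Constructed sample: object -> its DT_NEEDED entries (hypothetical names).
NEEDED = {
    "old-app":        ["libssl.so.0.9.8", "libcrypto.so.0.9.8", "libc.so.1"],
    "rebuilt-app":    ["libssl.so.1.0.0", "libcrypto.so.1.0.0", "libc.so.1"],
    "half-app":       ["libcrypto.so.0.9.8", "libhelper.so.1"],
    "libhelper.so.1": ["libssl.so.1.0.0", "libc.so.1"],
    "plain-app":      ["libc.so.1"],
}


def openssl_versions(obj, needed, seen=None):
    """Return the OpenSSL versions reachable from obj via DT_NEEDED."""
    seen = set() if seen is None else seen
    versions = set()
    for dep in needed.get(obj, []):
        match = SONAME.fullmatch(dep)
        if match:
            versions.add(match.group(1))
        elif dep not in seen:          # guard against dependency cycles
            seen.add(dep)
            versions |= openssl_versions(dep, needed, seen)
    return versions


def triage(needed, roots):
    """Classify each root object for the 0.9.8 -> 1.0.0 transition."""
    report = {}
    for obj in roots:
        found = openssl_versions(obj, needed)
        if {OLD, NEW} <= found:
            report[obj] = "mixed"         # both ABIs would map into one process
        elif OLD in found:
            report[obj] = "needs-compat"  # keeps running only with the 0.9.8 libs
        elif NEW in found:
            report[obj] = "rebuilt"
        else:
            report[obj] = "unaffected"
    return report


if __name__ == "__main__":
    for name, status in triage(NEEDED, ["old-app", "rebuilt-app",
                                        "half-app", "plain-app"]).items():
        print(f"{name:12} {status}")
```

Objects reported as `mixed` were only partly rebuilt (here a rebuilt helper library under an old binary) and are the ones to review before a release that ships both library versions.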




